Server-Side Request Forgery (SSRF) vulnerability in Next.js Server Actions
CVE-2024-34351
Key Information:
- Vendor: Vercel
- Status
- Next.js
- Vendor
- CVE Published: 14 May 2024
What is CVE-2024-34351?
CVE-2024-34351 is a vulnerability found in Next.js, a popular React framework that assists developers in building web applications. The vulnerability is characterized as a Server-Side Request Forgery (SSRF) issue that arises when a specific set of conditions is met, allowing an attacker to manipulate the Host header. If exploited, an attacker could make requests that seem to originate from the Next.js server itself, potentially leading to unauthorized access to internal resources. This situation can significantly jeopardize the integrity and confidentiality of data managed by web applications utilizing Next.js, affecting organizations that rely on this framework for their web solutions.
Technical Details
The SSRF vulnerability occurs under three specific conditions:
- Next.js must be self-hosted.
- The application must employ Server Actions.
- The Server Action must redirect to a relative path that begins with a /.
When these conditions align, an attacker can exploit the vulnerability by modifying the Host header, leading to unauthorized requests executed by the server. This flaw was addressed in Next.js version 14.1.1, where mitigations were implemented to prevent such exploitation.
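As an added example (not code from this page or from the Next.js project): a triage check for the affected version range listed on this page, plus a Host header allow-list that a self-hosted deployment could enforce in front of the application as defense in depth alongside the upgrade. The allow-list contents and all function names are assumptions made for illustration.

```javascript
// Added example: triage and defense-in-depth checks for CVE-2024-34351.
// ALLOWED_HOSTS and every function name here are illustrative assumptions.
const ALLOWED_HOSTS = new Set(["app.example.com", "www.example.com"]); // constructed values

// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1, comparing numerically field by field.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected range as stated on this page: >= 13.4.0, < 14.1.1
function isAffectedNextVersion(v) {
  return compareVersions(v, "13.4.0") >= 0 && compareVersions(v, "14.1.1") < 0;
}

// Return the normalized hostname if the Host header is on the allow-list, else null.
function validateHostHeader(raw, allowed = ALLOWED_HOSTS) {
  if (typeof raw !== "string") return null; // header missing or not a single string
  const value = raw.trim().toLowerCase();
  // Accept "hostname" or "hostname:port" only; anything containing userinfo,
  // a path, whitespace, a trailing dot or an IPv6 literal is rejected outright.
  const m = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$/.exec(value);
  if (!m) return null;
  return allowed.has(m[1]) ? m[1] : null;
}

// Gate for a Node-style request object, run before the request reaches the app.
function hostGate(req) {
  const host = validateHostHeader(req.headers && req.headers.host);
  return host ? { status: 200, host } : { status: 400, host: null };
}
```

The version check only answers whether an installed release falls in the affected range; upgrading to 14.1.1 remains the fix named on this page.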
Impact of the Vulnerability
- Unauthorized Access: By exploiting CVE-2024-34351, an attacker could gain unauthorized access to internal servers and resources, potentially exposing sensitive information and leading to data breaches.
- Internal Resource Mapping: Attackers may use this vulnerability to map internal resources, discovering additional vulnerabilities or information that can be leveraged for further attacks.
- Compromised Application Integrity: The ability to manipulate requests as if they were coming from the server can result in actions that compromise the integrity of the application, including data manipulation or denial-of-service conditions.
Affected Version(s)
next.js >= 13.4.0, < 14.1.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
Timeline
- Public PoC available
- Vulnerability published
- Exploit known to exist
- First article discovered by CybersecurityNews
- Vulnerability reached the number 1 worldwide trending spot
- Vulnerability started trending
- Vulnerability Reserved